Scality pushes out latest ARTESCA object storage, claiming to give ransomware a 5-level brush-off

ARTESCA object storage supplier Scality says its latest v3.0 release has five levels of ransomware protection, and claims API-level immutability is not good enough.

Update. Time shift attacks and Network Time Protocol attack points amended. 3 June 2024.

The ARTESCA product is a cloud-native version of Scality’s RING object storage, co-designed with HPE, and S3-compatible. It can be a backup target for Veeam and there is a hardware appliance version specifically for Veeam customers.

Paul Speciale

Scality CMO Paul Speciale said in a canned quote: “Every vendor selling immutable storage claims its solution will make your data ransomware-proof, but it’s clear — immutability is not enough to keep data 100 percent protected.

“94 percent of IT leaders rely on immutable storage as a foundational aspect of their cybersecurity strategy. If immutable backups were the answer, then why did ransom payments double in 2023 to more than $1 billion? It’s time that the storage industry goes beyond immutability to deliver end-to-end cyber resilience.”

A Scality blog states: “Today, a staggering 91 percent of ransomware attacks involve data exfiltration. This meteoric rise can be seen as a direct attempt by threat actors to sidestep the protections afforded by immutability.” 

Speciale’s suggestion that immutability failings have helped cause a doubling of ransomware payments seems unlikely when a blog by his own company attributes 91 percent of ransomware attacks to exfiltration attacks. Immutability will not stop an exfiltration attack.

Be that as it may, ARTESCA v3.0’s five levels of defense are:

  • API-level: Immutability implemented via S3 object lock ensures backups are immutable the instant they’re created. Multi-factor authentication (MFA) and access control help administrators prevent breaches on employees.
  • Data-level: Multiple layers of data-level security measures are employed to prevent attackers from accessing and exfiltrating stored data.
  • Storage-level: Encoding techniques prevent destruction or exfiltration of backups by rendering stored data indecipherable to attackers, even when using stolen access privileges to bypass higher-level protections.
  • Geographic-level: Multi-site data copies prevent data loss even if an entire data centre is targeted in an attack.
  • Architecture-level: An intrinsically immutable core architecture ensures data is always preserved in its original form once stored, even if the attacker attains the necessary access privileges to bypass API-level immutability.

Speciale makes the point in a Solved magazine article that file-based storage systems basically allow file data to be re-written while object storage always creates a new object when data in an existing object changes. It is architecturally immutable whereas file storage is not.

He writes: “This means data remains intrinsically immutable, even to an attacker with superadmin privileges, due to the way the system handles data writes to the drive. The effect is simple — no deletes or overwrites, ever. Additionally, all Scality products disallow root access by default, reducing exposure to common vulnerabilities and exposures (CVEs) and a wide range of threats.”

Scality claims that the following offerings are considered insufficient when it comes to immutability: 

  • NAS/file system snapshots
  • Dedupe appliances
  • Linux-hardened repositories 
  • Tape
  • S3 proxies (S3 API implemented on mutable architectures)

Only solutions based on native object storage design are truly immutable because they preserve data in its original form the very moment it is written, and never overwrite existing data. 

Scality immutability checklist graphic.

File storage is much weaker on this front in Speciale’s view: “because the underlying file system is still inherently mutable, data remains vulnerable to attacks below the API layer. This creates multiple viable avenues for a skilled attacker to bypass the system’s defenses using common tactics like privilege escalation and time-shift attacks.”

Privilege escalation means gaining higher-level access, such as root. A time-shift attack targets Network Time Protocol servers, resetting the clock to hours before the present time and, maybe, enabling access to data before it was made immutable. Scality tells us: “Immutability is driven by specific time periods – let’s say a bad actor does something as simple as going in and changing the system clock. If a server believes it’s day 31, then a 30-day object lock is invalid and the data is no longer immutable. Similarly, it’s also possible to compromise credentials and change the policy on immutability.

“These vulnerabilities are very much legitimate, so these soft spots absolutely must be addressed if storage vendors want to truly earn their “ransomware-proof” claims.”

We could find no search results that explicitly mention the use of NTP time shifts as a tactic employed by ransomware attackers. This is not to say it could not happen but, overall, there seems to be no empirical evidence that a ransomware attack circumvented a file’s immutability by using an attack below the API layer.
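The clock-manipulation scenario Scality describes above, modelled as an added example (this is not Scality’s or ARTESCA’s code; RetentionGate, LockedObject and FakeClocks are hypothetical names): a retention check that anchors the wall clock to the host’s monotonic clock and fails closed, recording an alert, when the two disagree, so a 30-day lock is not released merely because the system date now says day 32.

```python
import time
from dataclasses import dataclass

@dataclass
class LockedObject:
    key: str
    retain_until: float  # epoch seconds, like an S3 Object Lock RetainUntilDate

class RetentionGate:
    """Permits a delete only when retention has expired by a clock it trusts.
    The wall clock (which NTP or a clock change can move) is checked against the
    monotonic clock, which cannot be set; a mismatch fails closed and alerts."""
    def __init__(self, wall=time.time, mono=time.monotonic, tolerance_s=300.0):
        self.wall, self.mono, self.tolerance_s = wall, mono, tolerance_s
        self.anchor_wall, self.anchor_mono = wall(), mono()
        self.alerts = []
    def trusted_now(self):
        wall_now, mono_now = self.wall(), self.mono()
        expected = self.anchor_wall + (mono_now - self.anchor_mono)
        skew = wall_now - expected
        if abs(skew) > self.tolerance_s:
            self.alerts.append(f"wall clock moved {skew:+.0f}s against monotonic clock")
            return None  # keep the pre-jump anchor; do not adopt the moved clock
        return wall_now
    def may_delete(self, obj):
        now = self.trusted_now()
        return now is not None and now >= obj.retain_until

class FakeClocks:
    """Constructed stand-in for both system clocks so the scenario runs offline."""
    def __init__(self):
        self.wall, self.mono = 1_700_000_000.0, 0.0
    def tick(self, seconds):  # honest passage of time advances both clocks
        self.wall += seconds
        self.mono += seconds
    def set_wall(self, epoch):  # a clock change moves only the wall clock
        self.wall = epoch

def run_scenario():
    clocks = FakeClocks()
    gate = RetentionGate(wall=lambda: clocks.wall, mono=lambda: clocks.mono)
    obj = LockedObject("backup-001", retain_until=clocks.wall + 30 * 86400)
    clocks.tick(3600)
    early = gate.may_delete(obj)                      # one hour in: still locked
    clocks.set_wall(clocks.wall + 31 * 86400)         # wall clock now reads "day 32"
    after_jump = gate.may_delete(obj)                 # refused, alert recorded
    clocks.set_wall(gate.anchor_wall + clocks.mono)   # clock corrected
    clocks.tick(30 * 86400)                           # retention genuinely expires
    expired = gate.may_delete(obj)
    return early, after_jump, expired, len(gate.alerts)
```

A production system would compare against an authenticated external time source rather than only the local monotonic counter, but the fail-closed shape is the same.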

Also, object storage has always had the create-a-new-object-when-an-old-one-is-changed attribute, and there is nothing new in ARTESCA v3 here. S3 object locking was introduced in ARTESCA v2.0 and is not new to v3 either.

ARTESCA v3.0 features:

  • Design in accordance with US Executive Order 14028 Improving the Nation’s Cybersecurity and zero-trust architecture principles, including enforced authentication and end-to-end encryption of data. 
  • Multi-factor authentication (MFA) for admin users that can now be globally enforced to provide additional login protection for admins and data managers
  • Integration with Microsoft Active Directory (AD), configurable directly through the secure ARTESCA administrative UI. 
  • Center for Internet Security (CIS) compliance testing through OpenSCAP project tools for continual conformance with CIS cybersecurity recommendations, including password strength compliance based on length, complexity and history.
  • Extended security hardening of the integrated OS that disallows root access, including remote shell or su as root; admin access is only granted through a system-defined Artesca-OS user identity adhering to the principle of least privilege.
  • A software bill of materials (SBOM) of components and suppliers, scanned and continuously patched for CVEs, to provide customers with visibility into their software supply chain, and automated OS updates to patch vulnerabilities.
  • Increased scale to 8.5PB of usable capacity, with support for high-density servers and a wide choice of storage hardware including multiple types of flash drives.
  • Enhanced dual-level erasure-coding.

Speciale proclaims: “ARTESCA’s CORE5 capabilities set the bar for a new standard of truly cyber-resilient storage in modern data centres. Windows of exposure are effectively eliminated by providing not only the strongest form of data immutability, but also cyber resilience at all levels of the system. Together with Veeam, our customers achieve unbreakable data protection.”

Scality says ARTESCA 3.0 for Veeam is:

  • Veeam Ready validated for Veeam high-performance tier deployments on hybrid and all-flash storage servers at an affordable cost
  • VMware Instant Recovery Ready with ultra-high performance on all-flash servers
  • Simple-to-use compatibility with Veeam Backup & Replication, Veeam Backup for Microsoft 365 and Veeam Kasten in a single system
  • Quickly and effortlessly configured as a ransomware-hardened Veeam repository, thanks to its unique built-in Veeam Assistant tool
  • Offered as a turnkey hardware appliance for Veeam with a Quickstart Wizard to simplify integration into network environments

ARTESCA 3.0 can be deployed as a turnkey hardware appliance for Veeam built on Supermicro servers, software on industry-standard servers, or a virtual appliance for VMware-powered data centres.

It will be available in Q3 2024 through global resellers, supported by distribution partners Ingram Micro, Carahsoft, TD Synnex, Arrow, and other regional distributors.